[help] Understanding WoW's anti-disassembly technique(s)

[Valldex]

Hi! I've done a decent amount of research and have become stuck, so hopefully one of you can help me?

I'm trying to understand why IDA cannot understand a subroutine.

I'm disasembling WoW 8.3.6 (35662), and have used Overwatch dump fix to de-obfuscate (also Jadd's lua function renaming + offset finder just to help a bit (thanks for script btw m)

Now I'm comparing the two side by side, using the lua function 'JumpOrAscendStart()' as an example.

Searching the Strings, I can find the offset

Code:

.data:000000014282AF90 F0 AD 2C 42 01 00+                dq offset aJumporascendst ; "JumpOrAscendStart"
.data:000000014282AF98 60 AC 63 41 01 00+                dq offset qword_14163AC60

Now, jumping to that offset, I see that IDA is not able to disassemble:

Code:

.text:000000014163AC60 6D 88 A9 F8 D4 4D+qword_14163AC60 dq 21AF4DD4F8A9886Dh, 62722451E4589271h, 164A19B420A5658Bh
.text:000000014163AC60 AF 21 71 92 58 E4+                                        ; DATA XREF: .rdata:0000000142542EB4↓o
.text:000000014163AC60 51 24 72 62 8B 65+                                        ; .rdata:0000000142542EEC↓o ...
.text:000000014163AC60 A5 20 B4 19 4A 16+                dq 13E28A8D542AB2A1h, 19F5B4E1F40B1C9Dh, 48898C76CBB74A53h

However, comparing my de-obfuscated client, IDA manages to cleanly disassemble that location:

Code:

.text:00007FF6A036AC60 40 53                             push    rbx
.text:00007FF6A036AC62 48 83 EC 20                       sub     rsp, 20h
.........

What I'm totally confused about, the contents at that address is totally different between the original and de-obfuscated client. E.G at AC60, we have 6D 88... compared to 40 53... for both clients respectively. How is that possible?
From what I understand, most anti-disassembly techniques involve tricking the disassembler into misinterpreting the data/code. How is it possible for me to understand what's going on here without the help of a tool such as the dump fix??

Cheers


[bonus question if you're feeling super helpful: how do I find click to move offset lol]

[clestor]

Hi! I've done a decent amount of research and have become stuck, so hopefully one of you can help me?

I'm trying to understand why IDA cannot understand a subroutine.

I'm disasembling WoW 8.3.6 (35662), and have used Overwatch dump fix to de-obfuscate (also Jadd's lua function renaming + offset finder just to help a bit (thanks for script btw m)

Now I'm comparing the two side by side, using the lua function 'JumpOrAscendStart()' as an example.

Searching the Strings, I can find the offset

Code:

.data:000000014282AF90 F0 AD 2C 42 01 00+                dq offset aJumporascendst ; "JumpOrAscendStart"
.data:000000014282AF98 60 AC 63 41 01 00+                dq offset qword_14163AC60

Now, jumping to that offset, I see that IDA is not able to disassemble:

Code:

.text:000000014163AC60 6D 88 A9 F8 D4 4D+qword_14163AC60 dq 21AF4DD4F8A9886Dh, 62722451E4589271h, 164A19B420A5658Bh
.text:000000014163AC60 AF 21 71 92 58 E4+                                        ; DATA XREF: .rdata:0000000142542EB4↓o
.text:000000014163AC60 51 24 72 62 8B 65+                                        ; .rdata:0000000142542EEC↓o ...
.text:000000014163AC60 A5 20 B4 19 4A 16+                dq 13E28A8D542AB2A1h, 19F5B4E1F40B1C9Dh, 48898C76CBB74A53h

However, comparing my de-obfuscated client, IDA manages to cleanly disassemble that location:

Code:

.text:00007FF6A036AC60 40 53                             push    rbx
.text:00007FF6A036AC62 48 83 EC 20                       sub     rsp, 20h
.........

What I'm totally confused about, the contents at that address is totally different between the original and de-obfuscated client. E.G at AC60, we have 6D 88... compared to 40 53... for both clients respectively. How is that possible?
From what I understand, most anti-disassembly techniques involve tricking the disassembler into misinterpreting the data/code. How is it possible for me to understand what's going on here without the help of a tool such as the dump fix??

Cheers


[bonus question if you're feeling super helpful: how do I find click to move offset lol]

Did you use IDA to decompile Wow directly(not dumped from memory )? Wow is packed , and the whole program will be unpacked and initialized after TLS called.

[Valldex]

Did you use IDA to decompile Wow directly(not dumped from memory )? Wow is packed , and the whole program will be unpacked and initialized after TLS called.

Ahhh I did not know there was a difference between decompiling directly and dumping from memory. I realise now that to generated the de-obfuscated version, I followed a guide to dump from memory. That makes sense!

So WoW has executable compression, and is inflated/unpacked at the beginning? I see.

So really, now that I have the de-obfuscated client, there is no real reason for me to be looking at the exe dump? Or even the obfuscated memory dump, for that matter?

Thanks for the reply!

[Jadd]

So really, now that I have the de-obfuscated client, there is no real reason for me to be looking at the exe dump? Or even the obfuscated memory dump, for that matter?

Unless you're reversing the unpacking process: no.

[air999]

[bonus question if you're feeling super helpful: how do I find click to move offset lol]

bonus answer: it doesn't help you much, as CTM coordinate is dynamically encoded.